GWT RequestFactory support for user permissions?

[Marius Grama]

Hi,

is there a possibility/tweak in the newly released GWT 2.4.0
RequestFactory API to integrate user permissions for executing
specific service actions (like an ActionValidator used in gwtp library
http://code.google.com/p/gwt-platform/wiki/IntroductionActionValidator
) ?

Say there is a need in the Employee entity from the RequestFactory
DevGuide : http://code.google.com/webtoolkit/doc/latest/DevGuideRequestFactory.html
to allow add/remove operations to be executed only by users with
administrative rights. Could there be this functionality integrated
with the currently released RequestFactory ?

[Y2i]

This seems to be related to issue 6051.

[Marius Grama]

The technique evoqued on the ticket that you reffer could be applied into adding permission based annotations on the methods and verifying on the user if the user contains the permissions required by the annotation.

This would come with the overhead of adding an own ServiceLayerDecorator implementation. But in the ServiceLayerDecorator I'd need to obtain the User object from the session (with its rights associated in order to query if they match the security annotation on the service method to be called),but from the source code of the RequestFactoryServlet class i see (line 131 on http://code.google.com/p/google-web-toolkit/source/browse/trunk/user/src/com/google/web/bindery/requestfactory/server/RequestFactoryServlet.java?r=10212)

that only the jsonString contained on the request is passed to be processed:

String payload = processor.process(jsonRequestString);

and not the whole HttpServletRequest object.

Any hints on how I could obtain the currently logged in user in the ServiceLayerDecorator implementation?

[Thomas Broyer]

RequestFactoryServlet.getThreadLocalRequest().getRemoteUser() (or getUserPrincipal()) ?

[Marius Grama]

Thanks for the hint. This is what i was looking for.